selinux not allowing fuse to mount with todays f8 updates

Daniel J Walsh dwalsh at redhat.com
Thu Mar 13 23:58:25 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Louis E Garcia II wrote:
> On Thu, 2008-03-13 at 16:30 -0400, Daniel J Walsh wrote:
>> Louis E Garcia II wrote:
>>> SELinux is preventing mount (mount_t) "mount" to / (unlabeled_t).
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by mount. It is not expected that this
>>> access is
>>> required by mount and this access may signal an intrusion attempt. It is
>>> also
>>> possible that the specific version or configuration of the application
>>> is
>>> causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>> disable
>>> SELinux protection altogether. Disabling SELinux protection is not
>>> recommended.
>>> Please file a bug report
>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>> against this package.
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:mount_t:s0
>>> Target Context                system_u:object_r:unlabeled_t:s0
>>> Target Objects                / [ filesystem ]
>>> Source                        mount
>>> Source Path                   /bin/mount
>>> Port                          <Unknown>
>>> Host                          sonlaptop
>>> Source RPM Packages           util-linux-ng-2.13.1-1.fc8
>>> Target RPM Packages           filesystem-2.4.11-1.fc8
>>> Policy RPM                    selinux-policy-3.0.8-87.fc8
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     sonlaptop
>>> Platform                      Linux sonlaptop 2.6.24.3-34.fc8 #1 SMP Wed
>>> Mar 12
>>>                               18:17:20 EDT 2008 i686 i686
>>> Alert Count                   2
>>> First Seen                    Thu 13 Mar 2008 10:33:41 AM EDT
>>> Last Seen                     Thu 13 Mar 2008 10:33:41 AM EDT
>>> Local ID                      e4b0a819-9224-4c5c-949d-7e34dce371d2
>>> Line Numbers                  
>>>
>>> Raw Audit Messages            
>>>
>>> host=sonlaptop type=AVC msg=audit(1205418821.88:27): avc:  denied
>>> { mount } for  pid=3419 comm="mount" name="/" dev=fusectl ino=1
>>> scontext=system_u:system_r:mount_t:s0
>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
>>>
>>> host=sonlaptop type=SYSCALL msg=audit(1205418821.88:27): arch=40000003
>>> syscall=21 success=no exit=-13 a0=b8803458 a1=b8804c90 a2=b8803f60
>>> a3=c0ed0001 items=0 ppid=3407 pid=3419 auid=500 uid=0 gid=0 euid=0
>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="mount"
>>> exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
>>>
>>>
>>>
>> fusectl should be labeled in this release.  Not sure why you are
>> seeing this.
> 
> I have downgraded to fuse-2.7.0-8 just to test but this release also
> does not start. I noticed that in this release:
> -rwsr-xr-x  root fuse
> system_u:object_r:fusermount_exec_t:s0 /bin/fusermount
> 
> as with the updated release fuse-2.7.3-2
> -rwsr-xr-x  root root
> system_u:object_r:fusermount_exec_t:s0 /bin/fusermount
> 
> I do not remember if the policy also was updated. I changed the group to
> fuse with no effect.
> 
> I'm the only one seeing this?
> 
> -Louis
> 
Looks like the fix was added after selinux-policy-3.0.8-87.fc8


Please update to the latest policy in Fedora 8.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfZv6EACgkQrlYvE4MpobP1dwCeMg/iUYRoUTZZeY68vIjz97KU
1PkAn0MV3etjqvDNrBmJ71fD2RAH5ueZ
=wnVb
-----END PGP SIGNATURE-----




More information about the users mailing list